Data Protection Officer : Does your company need a DPO for GDPR?

Data Protection Advisory Service: instant access to cost-effective expertise

Even for organisations that are not required under the GDPR to have a Data Protection Officer, accessing expert advice on data protection is a must.

However, finding and retaining a person with the right skills and expertise can be challenging. It may also represent a distraction from core business activities, and there may not be enough work to justify a full-time, permanent position – which also raises the risk that candidates may seek more stimulating employment elsewhere.

Building on 30 years of experience in data management and governance solutions for leading financial services organisations, Northdoor’s Data Protection Advisory Service enables organisations to access the expert skills they need rapidly, cost-effectively and within a flexible annual subscription.

The service is tailored to each organisation’s precise needs and provides a comprehensive set of activities to help address GDPR compliance.

Do you need a Data Protection Officer?

The General Data Protection Regulation (GDPR), in force from May 25^th 2018, requires certain types of organisation to appoint a Data Protection Officer. These are as follows

1. Public authorities and other public bodies. All central and local government departments, agencies and other public bodies must appoint a DPO.

2. Organisations whose core business activity is monitoring individuals regularly and systematically on a large scale. This can include running payroll services, providing standard IT support, providing email remarketing services and offering location-tracking services through apps.

3. Organisations whose core business activity consists of large-scale processing of special categories of personal data, including ethnic origin, political opinions, religious beliefs, physical and mental health, and criminal records.

However, even if your organisation does not require an official DPO, you will certainly need ongoing expert advice on data protection.

Employ or outsource?

In a job market where many experienced data-protection specialists have already been snapped up by large corporates to work as DPOs, it may be difficult for organisations to tap into the appropriate skills and knowledge. Equally, not all organisations will have enough work to keep a full-time, permanent advisor occupied.

At best, this means that they face overpaying for the services they need, and at worst, that their appointed person may soon get a better offer from an organisation that can provide a more stimulating working environment.

For smaller organisations, investing in in-house capabilities for all functions is generally economically unviable – and a potential distraction from the core business. In such cases, bringing in external advice will help address the compliance demands of the GDPR while removing the difficulty, cost and distraction of needing to find, employ and retain a permanent employee.

The Northdoor Data Protection Advisory Service offering for GDPR

To help organisations rapidly and cost-effectively access the necessary expertise for addressing GDPR compliance, Northdoor offers its Data Protection Advisory Service. With this simple annual subscription – tailored to fit your specific requirements – Northdoor assigns an expert to serve as an independent data protection specialist for your organisation.

Within the Data Protection Advisory Service, Northdoor offers a comprehensive range of services, scoped according to client need. As a guide, an entry-level service would typically cover the following activities:

Process expertise: advising on the privacy-by-design process and the data protection impact assessment (DPIA)
Representation: serving as the contact point for data protection authorities for all data protection issues, for example, liaising with the Information Commissioner’s Office
Support: overseeing data breach management and reporting
Data privacy expertise: attending and providing updates at quarterly board meetings, and serving as the contact point for staff and data subjects on privacy matters, including subject access requests.

In addition, Northdoor can provide the following services:

Outlining a GDPR compliance programme based on findings from the Northdoor GDPR Rapid Response programme report (which is a prerequisite for the Data Protection Advisory Service)
Advising generally on data protection and information security matters pertaining to the GDPR
Reviewing and advising on privacy policies, procedures and documentation
Monitoring the collation of records of personal data processing operations
Advising on the training of staff involved in data processing operations
Providing a general overview of the GDPR to senior staff, backed by deep experience.

Northdoor’s decades of experience in the protection and governance of enterprise data have enabled us to build a comprehensive portfolio of services around the GDPR. Our services are modular, highly adaptable and can be applied at all stages of any regulatory compliance programme.

The first step: a GDPR Service Assessment

Prior to any formal engagement, including the Data Protection Advisory Service, Northdoor conducts a workshop assessment to determine your existing compliance status, capability maturity and organisation-specific risks.

An overview of the regulation and its impact

A background analysis of the EU privacy frameworks
A comprehensive overview of the GDPR, including key regulatory objectives and points of differentiation to prior legislation
A detailed overview of the new requirements and how they will impact existing processes

Data protection, privacy risks and penalties

A comprehensive and granular overview of the fines and penalties for non-compliance
A facilitated group discussion about privacy risks to your organisation
The GDPR hierarchy: an overview of the regulation of the GDPR including its supervisory authorities, courts and the EDPB
An analysis of organisational risk under the GDPR, including a review of your organisation’s current data protection and privacy processes

Building a GDPR response program

Insight into the key components of an effective privacy management system: explore appropriate approaches for your organisation
An overview of assurance mechanisms, certifications, frameworks and tools used by organisations to manage GDPR privacy risk
An industry benchmark review and discussion on the applicability of key GDPR components
An open discussion on high-level management priorities, and short-, mid- and long-term GDPR compliance-focused goals
Assistance in setting measurable objectives and milestones to support over-arching goals
A formalisation of your internal privacy structure, identifying key staff and responsibilities.

Why Northdoor?

Northdoor plc is a leading corporate IT consultancy and solutions organisation with almost 30 years of experience serving clients across multiple industries, from start-ups to large blue chip firms. Building on our data management and governance experience, Northdoor has developed deep expertise in the GDPR through both research and direct engagement with clients.

We have run numerous GDPR round tables, authored extensive advisory content on the topic, and have multiple ongoing engagements with clients and prospects around the GDPR.

Northdoor’s expert GDPR services include:

Executive briefings
Assessment workshops
Process and policy development
Training and ongoing updates to staff
Plan reviews, compliance audits and reporting
Stress testing
Design and provision of technology solutions to underpin compliance, for example, data protection, data discovery, data classification, data masking, and data governance
IT security assessment and scanning services
Third-party risk assessments using our proprietary risk assessment platform.

Download Data Protection Advisory Service PDF

Data Protection Advisory Service (DPO)